The names, addresses, birth dates and other personal data belonging to the 77 million customers on Sony's PlayStation Network were stolen by a hacker, the company said Tuesday.
The hack is among the largest data thefts in history.
In a lengthy post on its PlayStation blog, the company added: "While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility."
Children with accounts made by their parents also may have had their data taken, Sony added.
Sony's PlayStation online service has been down for about a week since the catastrophic attack.
Account information for the PlayStation Network and its Qriocity service users was compromised between April 17 and April 19.
The service allows gamers to buy and play video games on their PlayStation consoles, as well as rent and stream movies through Netflix.
Sony decided last week to rebuild the entire network to make it more secure, and says it could be back up this week.
Once it is back online, Sony recommends its users change their passwords and usernames.
The company also said users could place fraud alerts on their credit cards.
Anonymous, a well-known and feared hacking group, said they weren't the culprit behind the attack.
"For once we didn't do it," they said on their website.
There are more than 1.5 million PlayStation Network users in Canada.
Sony's online network launched in fall 2006. Unlike its main competitor, Microsoft's Xbox Live, there are no subscription fees.
Xbox Live has not suffered a similar devastating attack. The incident is a major blow to Sony which is in a fierce battle with Microsoft and Nintendo on the console market.
The online gaming networks are hubs for tens of millions around the globe. Gamers can spend hours cooperating with each other on fantasy quests or shooting at each other in games like "Call of Duty: Modern Warfare 2."
The outage of the PlayStation Network has angered many users, who have taken to Twitter or Facebook to complain.
Tuesday night, many Twitter users were outraged Sony took six days to tell its customers their credit card data could be at risk.